Enterprise Risk Management - OBFS

Enterprise Risk Management, July 2014

There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction. ~ John F. Kennedy

Risk: adversely affects an organization’s ability to achieve its goals and objectives – What is our “tolerance” for risk?

Opportunity: assists an organization’s ability to achieve its goals and objectives – What is our “appetite” for risk?

Vision: Create a risk-aware culture that educates its members on risk management, allowing the University to identify risks and make plans to avoid material impact on finances and operations while encouraging the acceptance of manageable risks


Enterprise Risk Management is a structured process designed to:

• Support the achievement of University goals
• Identify potential threats and manage them within our tolerance for risk
• Maintain a balanced view of risk and reward
• Include people at every level of the organization
• Provide reasonable assurance to management and the Board of Trustees


• Provides strategic risk support & oversight through a systematic process of understanding, evaluating and fostering action on significant risks
• Establishes a portfolio approach to managing risk, considering internal, external and cross-entity risks
• Promotes alignment of strategy and risk appetite
• Promotes an environment of ownership of and accountability for significant risks and the response to those risks
• Provides a foundation for superior planning and budgeting


ERM considers risks that either exist solely within Risk Centers or impact multiple areas.

Comparative Responsibilities

Shared Goal (all four functions): Support ACHIEVEMENT OF UNIVERSITY OBJECTIVES by limiting material impacts, while encouraging the acceptance of manageable risks

Enterprise Risk Management – Focus: STRATEGIC – Purpose: Promote a RISK-INTELLIGENT CULTURE leading to integrated and coordinated risk identification and management

University Audits – Focus: OVERSIGHT – Purpose: Provide OBJECTIVE ASSURANCE that the risk management process is working effectively

Univ. Office of Risk Management – Focus: FINANCIAL – Purpose: Provide RISK FINANCING, including commercial and self insurance for funding risk

Campus Administration – Focus: OPERATIONAL – Purpose: Provide LOSS CONTROL and PREVENTION


ERM at the University of Illinois

Office of ERM established November 2009

Process is based on facilitation

• The risk owners are better positioned to manage the risk

• Process adds value by providing support and a holistic perspective

Enterprise-wide risk assessment every two years

• Raise risk consciousness

• Identify and review significant risks

• Promote mitigation strategies


ERM Process (organization chart)

Governance and reporting line: University of Illinois Board of Trustees; President; Vice President / Chief Financial Officer; Sr. Assoc. VP - OBFS; Office of Enterprise Risk Management; Exec. Director of University Audits; Exec. Director University Risk Mgmt.

Committees: Executive Risk Management Committee; Risk Assessment Council

Risk Centers: Business & Finance; Academic Affairs; External Relations; Medical; Governance & Org; Student Affairs; Compliance; Research; Human Resources; Treasury; Information Tech.

Information flows: Administrative Reporting; Process Effectiveness & Consulting; Strategic Risk Information; Risk Data


Strategic Risk Centers

Risk Centers provide a nexus for related risks, promote efficient management of risks and encourage a focus on risks that impact a particular area

Risk Center Leaders oversee the assessment of risks within their respective Risk Centers and look for risk relationships with other Risk Centers

Risk Owners have responsibility for specific risks, are subject matter experts and are positioned to influence the organization regarding the risk

Risks Without Owners are defined as “Institutional” and should be mitigated at the enterprise level


Accountability For Risk


ERM Basic Process (flowchart)

1. Identify objectives
2. Identify risk
3. Specify risk tolerance level
4. Measure individual risk
5. Decision: within tolerance → control and monitor; exceeds tolerance → reduce risk
6. After reducing the risk, measure it again: within tolerance → control and monitor; still exceeds tolerance → report to Risk Assessment Council


$50 million Scale

LIKELIHOOD (Score – Definition)

5 – Almost certain; expected to occur
4 – Likely; probably will occur
3 – Possible; might occur at some time
2 – Unlikely; could occur at some time
1 – Rare; may occur

IMPACT (Score – Definition, Financial or Non-Financial)

5 – Greater than $50 million, or extreme reputational impact
4 – $25 million to $50 million, or high reputational impact
3 – $5 million to $25 million, or medium to low reputational impact
2 – $100,000 to $5 million, or low to no reputational impact
1 – Less than $100,000, or no reputational impact

(Impact and Likelihood reflect existing controls)

Risk Score* – Consequences – Immediate Actions

Very High Risk (21-25) – Extreme financial loss; extreme reputational impact – Requires essential and immediate allocation and organization of resources to manage/mitigate the risk; establish plans and countermeasures.

High Risk (16-20) – High financial loss; high reputational impact – Requires priority allocation of resources for management and/or mitigation; establish plans and countermeasures.

Moderate Risk (11-15) – Moderate financial loss; medium to low reputational impact – Allocation of resources for study is desirable; risk should be monitored for increases in impact or likelihood.

Low Risk (6-10) – Low financial loss; low to no reputational impact – Generally does not require action, but should be reviewed periodically.

Very Low Risk (1-5) – Negligible financial loss; no reputational impact – No action required.

* Risk Score = Impact (1 to 5) x Likelihood (1 to 5)
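The scoring rule above (financial or reputational impact on a 1-5 scale, times likelihood on a 1-5 scale, banded into five action levels and screened against a tolerance level as in the ERM basic process) is small enough to implement end to end. The following Python is an added example, not code from the University's ERMIS; the dollar bands, score bands and action text come from the slides, while the risk register entries, the tolerance threshold of 10 and the treatment of exact boundary values (lower bound inclusive) are assumptions made for illustration. It supports both the $50 million scale and the alternative $1 million scale from the appendix.

```python
"""Risk Score = Impact (1-5) x Likelihood (1-5), with banding and tolerance screening.

Added example; the University's own ERMIS code is not shown on the slides.
Dollar bands and action text follow the slides; sample risks are constructed.
"""
from dataclasses import dataclass

# Financial impact bands from the slides as (exclusive upper bound, score).
# The slide wording is ambiguous for exact boundary amounts; this example
# treats each lower bound as inclusive, so exactly $100,000 scores 2.
STANDARD_SCALE = [(100_000, 1), (5_000_000, 2), (25_000_000, 3), (50_000_000, 4)]   # $50 million scale
ALTERNATIVE_SCALE = [(5_000, 1), (100_000, 2), (500_000, 3), (1_000_000, 4)]        # $1 million scale

# Risk score bands (inclusive) with the slide's label and immediate action.
BANDS = [
    (21, 25, "Very High Risk", "essential and immediate allocation of resources; establish plans and countermeasures"),
    (16, 20, "High Risk", "priority allocation of resources; establish plans and countermeasures"),
    (11, 15, "Moderate Risk", "allocate resources for study; monitor for increases in impact or likelihood"),
    (6, 10, "Low Risk", "generally no action required; review periodically"),
    (1, 5, "Very Low Risk", "no action required"),
]


def financial_impact_score(amount, scale=STANDARD_SCALE):
    """Map an estimated dollar loss to the 1-5 impact score on the given scale."""
    if amount < 0:
        raise ValueError("loss amount must be non-negative")
    for upper, score in scale:
        if amount < upper:
            return score
    return 5  # above the top band: "Greater than" the scale's maximum


def impact_score(financial_amount, reputational_score, scale=STANDARD_SCALE):
    """The impact table joins its financial and reputational rows with 'Or',
    so the overall impact is the higher of the two scores."""
    if not 1 <= reputational_score <= 5:
        raise ValueError("reputational score must be 1..5")
    return max(financial_impact_score(financial_amount, scale), reputational_score)


def risk_score(impact, likelihood):
    """Risk Score = Impact (1 to 5) x Likelihood (1 to 5)."""
    for value in (impact, likelihood):
        if not 1 <= value <= 5:
            raise ValueError("impact and likelihood must be 1..5")
    return impact * likelihood


def risk_band(score):
    """Return (band label, immediate action) for a 1..25 risk score."""
    for low, high, label, action in BANDS:
        if low <= score <= high:
            return label, action
    raise ValueError(f"risk score out of range: {score}")


@dataclass
class Risk:
    name: str
    financial_amount: float   # estimated loss in dollars
    reputational_score: int   # 1..5 from the non-financial column
    likelihood: int           # 1..5 from the likelihood table


# Constructed register entries (assumed values, not University data).
SAMPLE_REGISTER = [
    Risk("Loss of federal research funding", 60_000_000, 4, 5),
    Risk("Breach of student records", 3_000_000, 5, 3),
    Risk("Research grant compliance finding", 30_000_000, 3, 2),
    Risk("Campus network outage", 200_000, 2, 4),
]


def screen(risks, tolerance, scale=STANDARD_SCALE):
    """Score every risk and route it as the ERM basic process does: a score above
    the tolerance level goes to 'reduce risk' (and to the Risk Assessment Council
    if still above tolerance after treatment); otherwise 'control and monitor'.
    Results are returned highest score first, as a dashboard would show them."""
    rows = []
    for r in risks:
        imp = impact_score(r.financial_amount, r.reputational_score, scale)
        score = risk_score(imp, r.likelihood)
        label, action = risk_band(score)
        if score > tolerance:
            route = "exceeds tolerance: reduce risk, re-measure, report to Risk Assessment Council if still above tolerance"
        else:
            route = "within tolerance: control and monitor"
        rows.append({"name": r.name, "impact": imp, "likelihood": r.likelihood,
                     "score": score, "band": label, "action": action, "route": route})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


if __name__ == "__main__":
    for row in screen(SAMPLE_REGISTER, tolerance=10):
        print(f"{row['score']:>2} {row['band']:<15} {row['name']}: {row['route']}")
```

Note that the same $3 million loss scores 2 on the $50 million scale but 5 on the alternative $1 million scale, which is why the deck offers a separate scale for unit-level risks: the banding only screens sensibly when the scale matches the size of the unit whose goals are at stake.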


Dashboard - Screening Risks for materiality based on the Risk Score

(Heat map: Likelihood on the vertical axis, Impact – Reputational and/or Financial – on the horizontal axis; cells rated Very Low, Low, Moderate, High, Very High)

Major Initiatives

• Risk Culture Survey
• Risk Appetite Statements and Tolerance Guidelines
• ERM Information System (ERMIS)
• Risk Committees
• Response Framework
• Unit Level ERM Process

Risk Culture

Risk culture was raised persistently as an issue during the course of both enterprise-wide risk assessments. Comments offered include:

• “…consistently reluctant to any risk taking”

• “…unwilling to find solutions that accept some level of reasonable risk”

• “…unclear how much risk is acceptable”

• “…no consideration of risk versus reward in many areas”

Risk Culture describes how stakeholders confront and respond to risk and uncertainty

Risk culture can be defined as the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss and act on the risks the organization confronts and takes.¹

Benefits of a progressive risk culture

• Enhanced decision-making where uncertainty exists

• Stronger ability to adapt to a changing environment

• Improved recognition of diverse risk factors

• Better ability to react to unexpected crises

¹ Report: Reform in the Financial Services Industry: Strengthening Practices for a More Stable System, Institute of International Finance, 2009.

Risk Appetite Statements and Tolerance Guidelines (example only)

Risk Appetite Category – rated Low Tolerance / Moderate Tolerance / High Tolerance:

• Instructional Mission
• Research Mission
• Public Service Mission
• Economic Development Mission
• Safety Issues
• Compliance with Laws & Regulations
• Productivity & Creativity
• Financial Reward
• Reputation

(Chart: Relative Risk Appetite by Category, Category 1 through Category 9)

ERM Information System (ERMIS)

• Assists with embedding the ownership, management, review and reporting of risk to all stakeholders
• Manages risks in a structured way
• Reports across the enterprise

Risk Committees

• Leverage expertise and leadership across the enterprise
• Integrate ERM within the governance and management processes
• Link critical risks with related planning activities
• Working with the President’s office on a proposed structure
• Ample involvement by campuses

Information & Response Framework (diagram)

Information Phase: Discovery, Evaluation, Communication

Response Phase: Critical Risk Reviews, Favored Response Strategies, Monitor / Report

Other elements shown: Goals, Risk Drivers, Risk Appetite, Risk Tolerance, Budget Impacts, Activity Impacts, Board of Trustees, Risk Owners, Leadership

Unit Level ERM Process

Strategic Risks
• Impact Range <$100,000 to >$50 million
• Stakeholder Focus – Global (University Wide & Campus)
• Process – List your goals, identify & evaluate barriers, and develop plan B

Unit Level Risks
• Impact Range <$25,000 to >$5 million
• Stakeholder Focus – Unit
• Process – List your goals, identify & evaluate barriers, and develop plan B

What ERM Is

• Strategic risk support
• A portfolio approach to managing risks that may span multiple University units
• Value-adding to an organization’s goals and objectives
• A lean process designed to manage risk without adding new costs
• Data driven

What ERM Is Not

• The “risk police”
• Intrusive into an organization’s operations
• Burdensome
• Costly to implement and maintain
• Insurance, safety or loss control

ERM at the University of Illinois is a partnering process designed to:

• Identify material risks by fostering a risk dialogue with all University stakeholders
• Raise awareness of risk and uncertainty in all of our activities
• Recognize risks that cross boundaries within the decentralized structure
• Provide support to manage risks

Questions?

Joda Morton, Associate Director of Enterprise Risk Management, [email protected], 217-244-7480

Dan Mortland, Assistant Vice President for Enterprise Services, [email protected], 217-244-7483

Appendix


Risk Centers by campus (matrix; column headings only survive)

Risk Centers: Academic Affairs; Business & Finance; Compliance; External Relations; Governance & Organizational; Human Resources; Information Technology; Medical; Research; Student Affairs; Treasury

Campuses: Urbana-Champaign; Chicago; Springfield; University Wide

COSO

Components: Internal Environment & Objective Setting; Risk Identification; Risk Assessment; Risk Response & Control Activities; Communication & Monitoring

• Based on the widely employed framework developed by the Committee Of Sponsoring Organizations of the Treadway Commission (COSO)
• Modified to incorporate the unique environment at the University of Illinois
• Defines essential components, suggests a common language and provides clear direction and guidance for risk management

Diagram labels: COSO; Process; Organizational Impact; Risk Centers

Executive Perspectives on 2014 Top Risks²

1. Regulatory changes & heightened regulatory scrutiny
2. Economic conditions
3. Uncertainty surrounding political leadership
4. Succession, recruiting and retention challenges
5. Organic growth
6. Cyber threats
7. Organizational resistance to change
8. Privacy/identity management & information security
9. Anticipated volatility in global financial markets
10. Healthcare reform compliance costs

² North Carolina State University's ERM Initiative survey of board members and executives, seeking their views about the most pressing risks for their organizations in 2014

Alternative Impact Scale - $1 million Scale

LIKELIHOOD (Score – Definition)

5 – Almost certain; expected to occur
4 – Likely; probably will occur
3 – Possible; might occur at some time
2 – Unlikely; could occur at some time
1 – Rare; may occur

IMPACT (Score – Definition, Financial or Non-Financial)

5 – Greater than $1 million, or extreme reputational impact
4 – $0.5 million to $1 million, or high reputational impact
3 – $0.1 million to $0.5 million, or medium to low reputational impact
2 – $5,000 to $0.1 million, or low to no reputational impact
1 – Less than $5,000, or no reputational impact

(Impact and Likelihood reflect existing controls)